
Bad guys are everywhere, 
good guys are somewhere! 



NSA/CSS Threat Operations Center (NTOC) 
NTOC Technology Development 

(U) NTOC




• (U//FOUO) Operates under both SIGINT and 
Information Assurance authorities 

- Leverage SIGINT, IA, OSINT 

• (U//FOUO) Coordinates Integrated Cyber Operations 

- V2: Analysis 

- V3: Operations 

- V4: Technology Development Support 

• V45: Technology Development Division 

(U) V45 - Projects

(U//FOUO) TREASUREMAP 

- Massive Internet mapping, exploration, and 
analysis engine 

(U//FOUO) PACKAGEDGOODS 

- Globally dispersed traceroute generators 

(U) Other Projects 

(U) What is TREASUREMAP?

(U//FOUO) Capability for building a near real-time, interactive 
map of the global internet. 

Map the entire Internet - Any device*, anywhere, all the time 

(U//FOUO) We enable a wide range of missions: 

• Cyber Situational Awareness - your own network plus adversaries’ 

• Common Operation Pictures (COP) 

• Computer Attack/Exploit Planning / Preparation of the Environment 

• Network Reconnaissance 

• Measures of Effectiveness (MOE) 

(* limited only by available data) 

TREASUREMAP

• (U//FOUO) Continual generation of global Internet
map, IPv4 and IPv6 (limited) 

• (U//FOUO) Focus on logical layers (router and 
autonomous system), but touches physical, data 
link, and application layers 

• (U) It's Huge.

TREASUREMAP as an Enabler

(U) Current State




• (U//FOUO) Data Sources 

- Open Source Intelligence (OSINT) * & Academic

- Commercially Acquired 

- SIGINT 

- Information Assurance 

• (U//FOUO) Available on multiple networks to many user groups 

- NSAnet-TREASUREMAP (TM) 

• 5-Eyes partners 

• JWICS users - USG IC

- SIPRNet - USG IC/DoD - TREASUREMAP-SIPR (TM-S)

• (U) New capabilities delivered every 90 days 

• (U) 30+ Gigabytes of additional data added and replaced per day 

(* OSINT - Open Source / Publicly available Internet Meta-Data) 


(U) Data Sources

Feed the Machine 

(U) OSINT, Commercial & Academic




• (U//FOUO) BGP 

- Gives the 300,000 foot view of the Internet 

- Defines routing across Autonomous Systems (AS) 

- Origination of IP address spaces (Prefixes) to AS 

- How the Internet gets knowledge of itself (IP address space) 

- Commercially purchased Data Sources

• Akamai, SOCIALSTAMP, SEASIDEFERRY 

- Open Source 

• Public BGP, IXP (RIPE), APNIC, ROUTEVIEWS, CERNET 

(U) OSINT, Commercial & Academic




• (U//FOUO) Traceroutes 

- Router-to-router links to targeted IP addresses

- Creates links between networking devices (routers)

- TM ingests approx. ~16-18 million traceroutes daily

- Gives the 300 foot view, router-to-router infrastructure 

- Data Sources 

• ARK - CAIDA’s Archipelago Project * 

• PACKAGEDGOODS * 

• SOCIALSTAMP 

• RUSTICBAGGAGE 

• User Input 

(U) OSINT, Commercial & Academic




• (U) Registries - Information on netblock and AS ownership 

• (U) DNS - IP address to domain name matching 

• (U) Operating System (OS) Fingerprints 

- Software and Operating System characteristics of networked 
devices 

30-50 million unique IP addresses represented per day 

(U//FOUO) Traceroutes: PACKAGEDGOODS




• (U//FOUO) Collects “network measurement” data, on public internet 

• (U) Random traceroutes and user requested 

• (U//FOUO) PG-GTR 

- Currently using ~700 public traceroute sites to perform operations

- High target (full IP addresses)

- Capable of ~4K IPv4 and IPv6 traceroutes daily

• (U//FOUO) PG-Server 

- High volume: ~6.5 million traceroutes per day 

- Low targeting: IPv4 /24 netblocks or higher 

- Can do whole ASes, Country, Netblocks 

- 13 covered servers in unwitting data centers around the globe 

• Asia: Malaysia, Singapore, Taiwan, China (2), Indonesia, Thailand, India 

• Europe & Russia: Poland, Russia, Germany, Ukraine, Latvia, Denmark 

• Africa: South Africa 

• South America: Argentina, Brazil 

(U) Coming Soon!

• (U//FOUO) PG-Server 2.0 

- Tasking of full IP address 

- Choice of traceroute types: 

• ICMP 

• ICMP Paris 




• TCP 

• UDP 

- Choice of PG-SVR (for source of traceroute) 

- Auto-refresh

(U) Traceroutes - CAIDA




• (U) University of California, San Diego 

- Cooperative Association for Internet Data Analysis 

- Archipelago measurement platform 

• (U//FOUO) TM data source: ARK 

• (U) High volume: ~10 million traceroutes per day 

• (U) Random targeting (/24 netblock, BGP advertised) 

• (U) 44 Locations: Asia (5), Europe (15), Africa (2), North 
America (18), South America (2), Oceania (2) 

Internal Sources (Protected Sources)



- (U//FOUO) PACKAGEDGOODS - NTOC 

• (S) Clandestine traceroute and DNS processor 

- (S//SI//REL) BLACKPEARL- 

• SIGINT session 5-tuple, identified routers, routing protocols, SIGINT access points,
(inferred SIGINT access points) 

- (S//SI//REL) LEAKYFAUCET - 

• Flow repository of 802.11 WiFi IP addresses and clients via STUN data 

- (S//SI//REL) HYDROCASTLE- /

• 802.11 configuration data extracted from CNE activity in specific locations 

• (Requires HYDROCASTLE account) 

- (S//SI//REL) MASTERSHAKE- 

• FORNSAT and WiFi collection data 

- (S//SI//REL) S-TRICKLER - NTOC 

• IP address fingerprints and potential vulnerabilities from FORNSAT collection 

Internal Sources (Protected Source)



- (S//SI//REL) TOYGRIPPE- 

• Repository of VPN endpoints 

- (S//SI//REL) DISCOROUTE- /GCHQ 

• Router configuration files from CNE and passive SIGINT 

• NAC’s DISCOROUTE repository 

- (TS//SI//REL) VITALAIR2- 

• Automated scanned IP addresses for TAO known vulnerabilities

- (U//FOUO) IPGeoTrap - 

• Provides geolocation services for IP addresses/ranges 

- (TS//SI//REL) JOLLYROGER- / 

• Provides metadata that describes the networking environment of TAO- 
implanted Windows PCs 

• (Requires JOLLYROGER account) 

- (U//FOUO) TUTELAGE - NTOC 

• Specific alerts from intrusion detection sensors 

• (not currently active) 


(U) The Whole is Greater than the Sum of the Parts

(U) Data Relationships

[Figure: data relationship graph. Node labels: Router Configuration Files; BGP Advertisements; IP Geolocation; OS Fingerprints; Traceroutes; Autonomous System; Router; IP Prefix; Country; IP Address; Domain Names; SIGAD/CASN; MAC Address; Netblock; Network; Owner]

Yellow links denote direct relationships between data types.

For example, we know which AS contains a router because we can relate a router to IP Addresses, 
IP Addresses to IP Prefixes, then IP Prefixes to an AS. 
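
The relationship chain described above (router to IP addresses, IP addresses to IP prefixes, IP prefixes to an AS), as an added example that is not part of the original slides. All data is constructed (documentation address ranges and documentation AS numbers), and the names `BGP_ORIGINS`, `ROUTER_INTERFACES`, `origin_as` and `router_to_as` are hypothetical; it is the kind of join a network owner can run over their own inventory.

```python
import ipaddress

# Constructed sample data: IP prefix -> origin AS, as it would be read from
# BGP announcements. Prefixes are RFC 5737 / RFC 3849 documentation ranges.
BGP_ORIGINS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,   # more-specific announcement
    "2001:db8::/32": 64499,
}

# Constructed sample data: router -> interface addresses seen for it.
ROUTER_INTERFACES = {
    "rtr-a": ["192.0.2.1", "198.51.100.10"],
    "rtr-b": ["198.51.100.200", "2001:db8::1"],
    "rtr-c": ["10.0.0.1"],        # RFC1918 space, not originated in BGP
}

def build_table(origins):
    """Parse prefixes and order them longest-first for longest-prefix match."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in origins.items()]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)

def origin_as(ip, table):
    """IP address -> (covering prefix, origin AS), or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if net.version == addr.version and addr in net:
            return net, asn
    return None, None

def router_to_as(routers, origins):
    """Router -> sorted list of ASes its interface addresses fall into."""
    table = build_table(origins)
    result = {}
    for router, ips in routers.items():
        ases = {origin_as(ip, table)[1] for ip in ips}
        ases.discard(None)        # private or unannounced space maps to no AS
        result[router] = sorted(ases)
    return result

if __name__ == "__main__":
    for router, ases in router_to_as(ROUTER_INTERFACES, BGP_ORIGINS).items():
        # More than one AS marks a likely border router: an inter-AS link is
        # numbered from one side's prefix, so the mapping is ambiguous there.
        print(router, ases or "no BGP-announced address")
```
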


(U) Autonomous System Peering - BGP

[Figure: AS peering graph built from IPv4 & IPv6 announcements. Labels: 19 additional peers; Potential Satellite Hops; Stub AS: Multi-homed & Single homed. Graph simplified for presentation purpose]

(U) ... and Registries

[Figure: AS peering graph with each AS node labelled by its registry name and owner. Graph simplified for presentation purpose]

Internet “flow” to a “Network”

[Figure: graph of AS paths toward a network. Graph simplified for presentation purpose]



They’re color-coded by country. Big deal. 

(U) With Traceroute...

RFC1918 Addresses
(private IP address space)

Graph simplified for presentation purpose

(U) ... and DNS

Graph simplified for presentation purpose

(U) IP Geolocation Data



Correlate IP addresses with country, latitude and longitude (via IPGeoTrap)



TS//SI//REL TO USA, FVEY

(S//SI//REL) Bring the SIGINT (AS Level)

[Figure: AS-level graph with SIGINT overlay. Graph simplified for presentation purpose]

Red Ringed Node: Nodes within AS are SIGINT Referenced

Red Links: SIGINT Collection access points between two ASes

Red Core Nodes: SIGINT Collection access points within AS




(S//SI//REL) Traceroute - overlaid with SIGINT and other



TOYGRIPPE (VPN) 






OS Fingerprints 



Router Configuration 
Router Vendor: Cisco

Node Referenced in SIGINT



DoD Shields: DoD IP Addresses 



Underscore AS: “Operational” AS 
12880 

















(S//SI//REL) Known Devices 

- (S//SI//REL) Sources: DISCOROUTE (NAC router configuration repository) 




- (S//SI//REL) Display supporting infrastructure, as configured in router 
configuration files 



• Where router accessed from 
(possible NOC?) 

• servers configured for router 
(NTP, DNS, RADIUS, TACACS)

(S//SI//REL) Known Devices




- (S//SI//REL) Sources: DISCOROUTE (NAC router configuration 

(S//SI//REL) Cisco Discovery Protocol (CDP)

(U//FOUO) 802.11 WiFi Data

- (U//FOUO) Display and correlation of 802.11 wireless networks and RFC1918 clients

- (S//SI//REL) Sources




(* HYDROCASTLE account required) 

(U) Communities

- (S//SI//REL) Individual IP addresses related by common attribute




• TOR router 

• Servers (DNS, NTP, SNMP, TACACS, RADIUS) 

• Hide IP NG Proxy Servers 

• BYZANTINE HADES Infrastructure hosts/infected hosts 



- (S//SI//REL) Sources: (Varies) 

• Currently TOR router advertisements 

(U) Country (AS Presence)

(U//FOUO) TREASUREMAP Workspace




• (U//FOUO) Toolbar: Offers access to a variety of commonly used 
functions 

• (U//FOUO) Search Pane: Input search parameters 

• (U//FOUO) Advanced Search Options: Preferences for searches 

• (U//FOUO) Release my search to PG: Requesting traceroutes for 
target IP addresses 

• (U//FOUO) Other Searches: Includes Router, DNS, Batch 
IP/MAC and JOLLYROGER 

• (U//FOUO) Legend: Contains all of the icons and decorations as 
seen in an active graph 

• (U//FOUO) Send Feedback: Provides a way to communicate 
questions, comments or problems to the TREASUREMAP team. 

(U//FOUO) TREASUREMAP Search Items

1. (U//FOUO) IP Address 

2. (U//FOUO) Routers 

3. (U//FOUO) DNS (FQN) 

4. (U//FOUO) MAC address / 802.11 BSSID / 802.11 SSID

5. (U//FOUO) IP Prefix / Range (CIDR Notation) 

6. (U//FOUO) Registry Netblock 

7. (U//FOUO) SIGAD and/or Case Notation 

8. (U//FOUO) Country / IP Country Code 

9. (U//FOUO) Autonomous System (AS) Number 

10. (U//FOUO) Free Text 

(S//SI//REL) User Interface: NAVS

(U//FOUO) User Interface: Website

[Screenshot: TREASUREMAP website home page. Callouts: Small text-based queries; Video Tutorials; On-line Help; New Features Update]

(U//FOUO) TREASUREMAP Contact Info




• Customer Support Team 












